Instructure, the company that runs Canvas for schools and universities, says hackers breached its systems

Instructure disclosed Friday that a 'criminal threat actor' breached its systems. The company runs Canvas, the learning management platform used by schools, universities, and corporate training programs - and a successful breach exposes student records, teacher records, course content, and grades. Instructure has not said how many users are affected or what data was taken, only that outside forensics are investigating. Canvas Data 2 and Canvas Beta have been in maintenance since May 1, with customers warned about API key issues. The pattern matches the January 2025 PowerSchool breach, which exposed data on 62 million students and is still being followed by ransom demands against individual schools.

Check

If your school or organization uses Canvas, audit which API keys you have integrated with Canvas and rotate any issued in the past 6 months as a precaution.

Affected

Schools, universities, and corporate training organizations using Canvas. Student records, teacher records, course content, gradebook data, and uploaded files are all in scope until Instructure confirms otherwise. Salesforce-integrated Canvas tenants may be at higher risk - 2025's Instructure incident traced to a Salesforce compromise.

Fix

Rotate Canvas API keys, especially for downstream tools (gradebook integrations, SSO, third-party plugins). Brief students, parents, and faculty that any 'Canvas account verification' email is potentially hostile - go to canvas.instructure.com directly. Request Instructure's incident notification timeline in writing and pre-prepare your own student/parent notification template.